GHSA-r8xx-8vm8-x6wj

Published: 18 Dec 2023
Source: github
Github: Reviewed
CVSS3: 6.3

Description

Resque vulnerable to Reflected Cross Site Scripting through pathnames

Impact

resque-web in resque versions before 2.1.0 is vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint.

Patches

v2.1.0

Workarounds

No known workarounds at this time. It is recommended to not click on 3rd party or untrusted links to the resque-web interface until you have patched your application.

References

https://github.com/resque/resque/issues/1679
https://github.com/resque/resque/pull/1687

Packages

Name: resque (rubygems)
Affected versions: < 2.1.0
Fixed version: 2.1.0

EPSS

Percentile: 76%
0.00943
Low

6.3 Medium

CVSS3

Weaknesses

CWE-233
CWE-79

Related vulnerabilities

CVSS3: 6.3
nvd
about 2 years ago

Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. resque-web in resque versions before 2.1.0 are vulnerable to reflected XSS through the current_queue parameter in the path of the queues endpoint. This issue has been patched in version 2.1.0.
